Security vulnerability fix notifications relevant to third party software components distributed and supported as part of Oracle products

Wednesday May 09, 2007

A man is going on vacation (i.e. on holiday), and he's worried
about the possibility of someone breaking into his house while he's
away; so he checks all the window locks from inside the house, steps
outside, walks around the house to inspect for anything he's missed -
checking that the patio doors, etc, are locked - then locks his front door
and drives off.
What's he done wrong?

...which is my usual shtick for trying to explain the importance of
doing things in the right order: even if you have the right
security ingredients you can still mess up by not applying them properly,
or by not laying them out in a sensible manner.
I was blown away by some of the creativity in
the responses
- the person who went for the jugular and gave the answer I am usually
fishing for was Andy Paton:

While he was busy checking the windows and back door he left the front door unlocked!!

...which is the obvious flaw in the process: the house is unattended and unlocked
for the whole time he is walking round it. It's astonishing how many
people completely miss that.
That said - and thank you Andy - this being an open question there is always room
for a different perspective, e.g. trojan horses:

My first thought was that it has to relate to the "then locks his
front door" i.e. he hasn't 'tested' his security from the outside in
the state it will actually be in. As the other comment mentions, he
has also left the door unlocked while checking! And the second thought
was around "and drives off" - the car present/missing is a clue of his
absence but I can't see much that you can do about that unless you
religiously use the garage (which isn't stated either way, so I suspect
it isn't that).

...the architectural and integrational:

Forrest:

assuming it's a single-storey house without any other means of
entrance except doors and windows and all access will need separate
keys; so he checks all the window locks from inside the house - should
check/test the locks from the outside. steps outside - How, through
what? - Lock it from the outside before proceeding. Checking that patio
doors - How does he protect them? it's a big visual vulnerability. Has
he taken steps to make it look like the house has someone living [in it and
is] not abandoned? interactive :)

...and the slightly tongue-in-cheek operational risk:

Tom Hawtin:

He hasn't checked that the iron is switched off. He returns to find a
perfectly secure but somewhat charred house. With two weeks worth of
milk on the doorstep.

...all of these are legitimate and interesting answers; even the last
one, by analogy with the occasion I saw someone enable system auditing in
a particularly nitpicky mode, only for the machine to crash two days later
when the audit trail filled its root partition.
This is related to the reason I generally put
/var/log and /var/adm on a partition completely separate
from root and the normal /var - it's a signature perversity of a
Muffett-specified machine, but it means a flood of log data fills the
log partition rather than the one the operating system needs to keep running.
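As an added illustration of that layout (this is my example, not something from the original post or its comments): a POSIX shell function that, given a mount table in /proc/mounts or /etc/mnttab format, reports which mount point actually backs a path, so you can check that /var/log and /var/adm really do live on their own filesystems rather than on / or /var. The MOUNTS listing below is constructed sample data; on a live Linux box you would read /proc/mounts instead (on Solaris, /etc/mnttab).

```shell
#!/bin/sh
# Constructed sample mount table in /proc/mounts format (device, mount
# point, type, options, dump, pass). Replace with MOUNTS=$(cat /proc/mounts)
# on a real system.
MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
/dev/sda3 /var/log ext4 rw,relatime 0 0
/dev/sda4 /var/adm ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# mount_point_for PATH: print the mount point whose filesystem holds PATH.
# The answer is the longest mount point that is a path-prefix of PATH;
# "/" always matches, so it is the fallback.
mount_point_for() {
    path=$1
    best=/
    while read -r dev mp rest; do
        [ -n "$mp" ] || continue
        case "$path" in
            "$mp"|"$mp"/*)
                # Prefer the deeper (longer) mount point.
                if [ "${#mp}" -gt "${#best}" ]; then
                    best=$mp
                fi
                ;;
        esac
    done <<EOF
$MOUNTS
EOF
    printf '%s\n' "$best"
}

# separate_from PATH MOUNTPOINT: succeed if PATH is NOT backed by MOUNTPOINT,
# i.e. filling PATH cannot exhaust the filesystem at MOUNTPOINT.
separate_from() {
    [ "$(mount_point_for "$1")" != "$2" ]
}

# log_dirs_isolated: succeed only if both log directories are on filesystems
# other than / and other than /var, which is the layout described above.
log_dirs_isolated() {
    for d in /var/log /var/adm; do
        separate_from "$d" / || return 1
        separate_from "$d" /var || return 1
    done
    return 0
}

# Stand-alone usage: report where each directory of interest lives.
for d in /var/log/messages /var/adm/wtmp /var/tmp/scratch /etc/passwd; do
    printf '%-20s on %s\n' "$d" "$(mount_point_for "$d")"
done
if log_dirs_isolated; then
    echo "log directories are isolated from / and /var"
else
    echo "WARNING: a log directory shares a filesystem with / or /var"
fi
```

With the sample table the check passes; remove the /var/log line from MOUNTS and log_dirs_isolated fails, because /var/log then falls through to /var and an audit flood would take the normal /var down with it.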

So, next time I have to stand up and give this talk to somebody, I'll have
something extra to say. Thank you folks, and thank you for sharing.
Thank you also to Tom for this little gem which made me smile:

He should check that the front door is locked, from the inside?
My father's old front door you could open the lock through the
letterbox using a handily located small crowbar.

...which just goes to show that security can be perfectly acceptable
if it fits your environment; I still know places where nobody bothers
to lock their doors when they go out for the day, but nowadays they seem
somehow fewer and further between...
